Announcement Announcement Module
No announcement yet.
Trying to Authenticate in Exported POJO Method Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Trying to Authenticate in Exported POJO Method


    We are using the JSONRPC remote exporter and want to expose a "login" method where we will make calls on Spring Security to authenticate and cause a JSESSIONID to get created.

    The code we are using looks like

    MSUserDetailsService userService = new MSUserDetailsService();
    Authentication auth = new UsernamePasswordAuthenticationToken(
    userService.loadUserByUsername(user), pass);
    auth = authenticationManager.authenticate(auth);
    SecurityContextHolder.getContext().setAuthenticati on(auth);

    Quoting the developer who is most directly involved: "The above code should also ideally persist the authentication information inside the session. But, when UI makes a second call after login call, Server is throwing an exception saying “Authentication object not found”. However, the above logic works fine in prototype code. We are investigating on this and trying to root cause the issue."

    Any ideas or chance could point us in the right direction?


  • #2
    There are a few FAQs that may help. You can find the two relevant ones here and here.

    Some additional information may be useful. For example, what does the HTTP request/response look like when authenticating and when making the second call? Are you certain the client is sending the JSESSIONID in the second call? If this does not help you, can you post the request/response here?

    What does the Spring Security configuration look like (include Spring config and web.xml)? The configuration should ensure that Spring Security is processing the URL that the login is performed otherwise SecurityContextPersistenceFilter will not be invoked and thus it will not be pushed into session. A few things to check are to ensure that the springSecurityFilterChain is mapped to all URLs, ensure that the <http> block is intercepting the request (i.e. not specified to security="none"). Also ensure that <intercept-url filters="none"/> is not used. Rather than using security=none or filters=none you can use access=permitAll.

    PS: When posting code, logs, configuration, etc please use the code tags (i.e. the # button) so it is easier to read